What happens if someone gets hold of your encrypted 1Password data? What would it take to “crack” it? From the beginning, we’ve designed the 1Password data format with the knowledge that some people would have their computers stolen. I want to briefly talk about one of those design elements: PBKDF2.

The abbreviation PBKDF2 stands for “Password Based Key Derivation Function version 2” and does not stand for “Peanut Butter Keeps Dogs Friendly, Too”, but my dogs love peanut butter, and I do find the latter easier to remember. I need to remember “PBKDF2” because it is a very important, though behind the scenes, part of your security.

PBKDF2 deliberately slows down the process of getting from a password to an actual decryption key. The idea is to make using automated password guessing tools, such as John the Ripper, impractical.
PBKDF2 strengthens what would otherwise be the weakest part of a system, your master password. PBKDF2 is called a “Key Strengthening Protocol” for this very reason.

It works by forcing the process that goes from your master password to the derived key to go through a large number of complicated iterations. Each time through, the data is transformed using an encryption process called HMAC-SHA1, and the resulting intermediate key is fed back into the whole thing again.

For our current (1Password 3) Agile Keychain format, we’ve set things to use 1000 iterations. [Update: changed to 10000 in November 2012] Without PBKDF2, a password guessing program could try hundreds of thousands of passwords per second; with PBKDF2 that number is dramatically reduced because there is no way to test a possible master password without having to perform all of those operations. PBKDF2 may cause a fraction of a second delay for you when you enter your master password, but that fraction of a second quickly adds up when a password cracker is trying millions of passwords.
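The feedback loop described above, written out as an added example (not 1Password's own code). It follows RFC 2898 with HMAC-SHA1 and measures the per-guess cost at the two iteration counts mentioned; the salt and guess strings are constructed sample values.

```python
import hashlib
import hmac
import struct
import time


def pbkdf2_hmac_sha1(password: bytes, salt: bytes, iterations: int, dklen: int = 20) -> bytes:
    """PBKDF2 (RFC 2898) with HMAC-SHA1, written out to show the feedback loop."""
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    hlen = hashlib.sha1().digest_size  # 20 bytes per output block
    derived = b""
    block_index = 1
    while len(derived) < dklen:
        # U_1 = HMAC(password, salt || INT(block_index))
        u = hmac.new(password, salt + struct.pack(">I", block_index), hashlib.sha1).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            # U_n = HMAC(password, U_{n-1}): each output is fed back in
            u = hmac.new(password, u, hashlib.sha1).digest()
            t ^= int.from_bytes(u, "big")
        derived += t.to_bytes(hlen, "big")
        block_index += 1
    return derived[:dklen]


def seconds_per_guess(iterations: int, trials: int = 20) -> float:
    """Average wall-clock cost of testing one candidate master password."""
    salt = b"constructed-salt"  # constructed sample value
    start = time.perf_counter()
    for i in range(trials):
        hashlib.pbkdf2_hmac("sha1", b"guess%d" % i, salt, iterations)
    return (time.perf_counter() - start) / trials


if __name__ == "__main__":
    for n in (1, 1000, 10000):
        cost = seconds_per_guess(n)
        print(f"{n:>6} iterations: {cost * 1e6:9.1f} us/guess, "
              f"~{1 / cost:,.0f} guesses/s per core")
```

The timing loop uses the standard library's `hashlib.pbkdf2_hmac`, which is the function to use in real code; the hand-written version exists only to make the iteration visible.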

As the environment changes, we are beefing up our use of PBKDF2 even more in our next data format. Today, a good master password in combination with our use of PBKDF2 protects your 1Password data, even if it falls into the wrong hands. [Update: There have been several adjustments to PBKDF2 settings since this article was first published, as can be seen by various articles on this blog that discuss PBKDF2]

Wow, Steven! You sure know how to ask tough questions. Fortunately this is something that we’ve been thinking about a great deal.

I think that scrypt is the best candidate successor to PBKDF2. However it doesn’t have the same level of review, standards compliance, nor the range of implementations for various platforms readily available.

We try to always use well tested and reviewed cryptographic implementations instead of “rolling our own”. PBKDF2 is available in standard libraries for every platform for which we develop. If we only needed to use 1Password on OS X, then existing bcrypt and scrypt implementations could be used almost out of the box.

As we consider changes in the threat environment, things like this are always on our minds. There are difficult trade-offs, particularly in abandoning the tried and true and becoming an earlier adopter of newer algorithms. On the other hand, there are good reasons why successors to PBKDF2 are being developed. All I can really say at the moment is that this is something we are paying a great deal of attention to.

Your software is awful… Only useful if you would like to purchase but if you don’t you get reminded every time you open your browser. Why can’t I FIND your app in my Applications on my Mac? Very questionable tactics and make me want to never do business with your company.

The nag screen you describe doesn’t sound like it is coming from 1Password at all. Would you mind sending a screenshot of it to us at support@agilebits.com?

1Password.app gets installed wherever you put it, typically in /Applications on the Mac, though components get added in other places for browser plug-ins. 1Password comes with an uninstaller. See http://help.agilebits.com/1Password3/uninstall.html for details.

Again, it really sounds like you are using something other than 1Password. So please do send that screenshot to us and we will try to figure out what is going on.

As for Mark, you don’t seem to understand the application at all, or whatever you’re doing on your computer. If you’re tech savvy, you would know that that nag screen isn’t coming from 1Password. So stop blaming and know your way around your system first.

I’m looking forward to trying out your software. Right now I’m using Keepass on Windows and KeepassX on Mac. It works and it’s free, so that’s what I’m using right now. But I’d still like to try out 1Password. I think the $59.99 price is the only thing keeping me away.

Give the 30 day free trial a try. There is no risk or commitment as we will never lock you out of your existing 1Password data (and you can always export from 1Password). After you’ve given it a try, contact us https://agilebits.com/contact_us and we will see what sorts of discounts you may qualify for.

I got 1Password for less than half that price. But even at the full price, I can guarantee that 1Password is one software that you cannot live without. I never have to use another password management tool at all.

It’s always tricky to find the right balance in these sorts of explanations. Particularly when different readers have different backgrounds. So I’m glad that I hit the mark with this one. Though I ask for forgiveness in advance for those cases where I don’t manage to do so.

What keeps a rainbow table from being useful? Say someone uses your “peanut butter” 1000 times on a dictionary list of easy passwords (1234, password, etc) and I get the CPU-intensive part out of the way, don’t I just have 1 comparison to make against the rainbow table? Or have you dumbed this down for us on the blog, and the number of iterations is itself random, so someone can’t pre-compute a rainbow table for 1Password.

The PBKDF2 part doesn’t defeat rainbow tables. Instead password “salting” is used for that purpose. Salt is some random material that is added to the password before encryption. So with a password like “pizza” if the salt is “98480198108” then what gets encrypted through the process is “98480198108pizza”. The salt isn’t kept secret, but it does mean that someone can’t pre-compute the password for “pizza” and then check for matches, because they would have to do that for all possible salts.
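The salting point in the reply above, as an added example that is not part of the original comment thread. It assumes PBKDF2-HMAC-SHA1 through Python's `hashlib`, where the salt is passed as a separate input; the word list and the 16-byte random salts are constructed sample values.

```python
import hashlib
import os

ITERATIONS = 1000  # iteration count the article quotes for the Agile Keychain format
WORDLIST = [b"1234", b"password", b"pizza"]  # constructed sample dictionary


def derive(password: bytes, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA1 key for one (password, salt) pair."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, ITERATIONS)


def precompute(salt: bytes) -> dict:
    """Table of derived key -> password, valid only for the salt it was built with."""
    return {derive(word, salt): word for word in WORDLIST}


def table_recovers(table: dict, password: bytes, salt: bytes):
    """Look up the key stored for (password, salt); None means the table does not help."""
    return table.get(derive(password, salt))


def work_for_all_salts(salt_bytes: int) -> int:
    """PBKDF2 runs needed to precompute WORDLIST for every possible salt of this size."""
    return len(WORDLIST) * 2 ** (8 * salt_bytes)


if __name__ == "__main__":
    table_salt = b"98480198108"   # salt value used in the reply above
    alice_salt = os.urandom(16)   # constructed per-user random salts
    bob_salt = os.urandom(16)
    table = precompute(table_salt)
    print("same salt   :", table_recovers(table, b"pizza", table_salt))
    print("alice's salt:", table_recovers(table, b"pizza", alice_salt))
    print("same password, different keys:",
          derive(b"pizza", alice_salt) != derive(b"pizza", bob_salt))
    print("PBKDF2 runs to cover every 16-byte salt:", work_for_all_salts(16))
```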